Secrets and wise: new compliance laws

Reform of European data protection legislation has been going on for more than two years, but we are about to witness a crucial legislative development. When the European Commission unveils in the coming weeks its proposal for a new data protection framework, it will be the most significant global legislative development affecting the collection, use and protection of personal information of the past 15 years.
The draft legislation, crafted by the Directorate General for Justice, Freedom and Security, has already been circulated around other directorate generals and final touches are being applied. Why is this such a critical development? What does the draft say and how will it affect utility companies? Although built on the foundations of the existing Data Protection Directive, the new framework will bring with it considerable changes aimed at rejuvenating a law that has lost its effectiveness to tackle the data privacy changes of the 21st century.
Among the novelties introduced by the new regime will be its legal form: a regulation rather than another directive. It is widely accepted that a regulation will be the best mechanism for a harmonised regime that delivers a consistent level of protection across the European Union. This means that once adopted, the regulation will be directly and universally applicable across all member states without the need for national implementing legislation. There are obvious pros and cons to this approach. While a single law will be beneficial to companies operating internationally, UK companies will lose the benefit of the business-friendly approach of national data protection legislation.
Every EU-based company that processes personal data will be subject to the new law. However, the regulation will extend the applicability of European data protection rules to organisations established elsewhere that direct their processing activities at, or monitor the behaviour of, individuals who live in the EU.
Existing data protection principles such as transparency, finality, proportionality and data quality will continue to be at the core of the legal framework. But in addition, there will be some new ones such as data minimisation (personal data must be limited to the minimum necessary) and accountability (personal data must be processed under the responsibility and liability of the controller).
Individuals’ consent will remain a cornerstone of the law but the standard for valid consent will be higher than ever before, with a greater emphasis on the individual’s freedom of choice. Among the enhancements likely to form part of the new rules are that the controller must bear the burden of proving that the data subject has given consent; and if consent is given in the context of a written declaration on another matter, it must be made distinguishable in its appearance from this other matter. 
Some rather radical changes are likely to come in the shape of new or strengthened individuals’ rights. Top of the list will be the much-publicised right to be forgotten, followed closely by data portability rights. No doubt the Commission will want to give people as much control as possible over their data, particularly in relation to profiling activities. The regulation will also require companies to provide their customers with additional transparency information such as the period for which the personal data will be stored, the different rights available to individuals, and whether their personal data will be transferred internationally.
As a flipside of the increased rights of individuals, controllers are bound to face specific responsibilities, ranging from the adoption of policies and principles such as privacy by design and privacy by default, to the training of staff and the appointment of data protection officers. For most companies, this will be one of the most noticeable differences with the existing regime, because putting in place a comprehensive data protection compliance programme will become a legal obligation in the black letter of the law.
As is already the case for providers of communications services, an obligation to notify security breaches to data protection authorities (and in some cases to the individuals affected) will also now apply to all controllers. Again, this will represent a significant departure from current practices and will make the likelihood of investigations by the data protection regulators much greater.
Greater flexibility is expected on international data transfers alongside an express recognition for binding corporate rules (BCRs), which will be available to both controllers and processors. The Commission has made it clear it expects BCRs to become the norm for all international companies going forward.
In terms of data protection authorities, the main novelty on this front is bound to be in relation to their geographical competence. In all likelihood, the data protection authority of the member state where the main establishment of a data processing organisation is based will be responsible for supervising that organisation across the whole of the EU. We can also assume that greater international co-ordination mechanisms will be in place. The Commission’s promise of stronger enforcement powers for data protection authorities is bound to bring harmonised and hefty monetary fines of potentially up to 5 per cent of annual worldwide turnover.
So what are the practical implications for utilities? Multiple customer acquisition channels, loyalty schemes, smart metering and tougher competition generally will make data protection compliance a much greater priority. In the light of the forthcoming regime, there are some immediate actions that should be at the top of the list, including:
• Legislative outreach activities. The legislative process initiated by the Commission will carry on in the coming months, so there are clear opportunities to influence the outcome by reaching out to legislators and policymakers, both in Brussels and at a member state level.
• Privacy policies and consent forms. As transparency and consent take centre stage, the importance of deploying the right privacy policies and consent forms will be paramount. The time for reviewing their content and channels of communication is now.
• Subject access and other rights. Having suitable procedures to comply with subject access and other individuals’ rights will be the key to getting this aspect of compliance right.
• Accountability framework. Under the new regime, providing evidence of compliance will be vital. This means adopting internal compliance policies that are easy to find and understand, and implementing a sensible line of responsibility.
• Flexible international data transfers. The days of blindly signing up to so-called model clauses and putting the contract in the drawer are over. BCRs are tipped to become the way to go and the only guarantee for an effective global data protection approach.
The Commission has crafted a framework that aims to address the regulatory requirements of today’s and tomorrow’s data protection. How utility companies respond to this challenge will be critical to their success.
Eduardo Ustaran is a partner and head of the privacy & information law group at Field Fisher Waterhouse.


This article first appeared in Utility Week’s print edition of 20 January 2012.